Passwort generator max length

jimonthebarn

"The current maximum length of passwords generated by 1password 6 for windows is 64 characters. I understand that a 64 character password of alphanumerical + symbols is quite safe for now. I was wondering though why the limitation is at 64 characters." ... is what i wanted to write before actually looking into matter. So I did some investigation and stumbled upon GRC's haystack calculator (https://www.grc.com/haystack.htm). I was feeling funny and used 1passwords - password generator based on the maximum search space settings. It turns out even in a massive cracking array scenario (which I presume requires unbelievable processing power and electricity) it would take up to 12.06 million trillion trillion trillion trillion trillion trillion trillion trillion centuries to crack the password. Well thats a whole lot of time for an attacker just to read my emails. :) Thought I'd share this with anyone who is curious like me.

Cheers,
Ben

Further interesting reads on the topic of password security:
https://security.stackexchange.com/questions/46666/at-what-length-does-a-password-stop-making-sense
https://security.stackexchange.com/questions/12994/whats-the-practical-limit-for-rainbow-table-based-bruteforce

---

1Password Version: 6.2.333d
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided

dszp

Fortunately, Jeffrey Goldberg, who posted one of the top 3 answers on that thread, is AgileBits' cryptographer, so they know what they're doing pretty well, too :-) Those articles on the math are great until I'm somewhere trying to explain it to someone and I can't find a good one! It does appear that anything 22 characters or longer and fully random with alphanumeric characters is sufficient for literally almost anything. Especially if it's hashed to a 128-bit value for storage on the back-end (likely).

AGAlumB

@jimonthebarn: Thanks for bringing this up! I love this kind of stuff. :)

Indeed, as mentioned by dszp here and others elsewhere (there was a great discussion on this topic recently), 64 characters is beyond overkill at this point. We put an (in)sane limit on this because frankly there has to be some limit due to UI and storage constraints, and 64 gives us plenty of headroom. No doubt we'll raise it in the future, long before it becomes truly necessary. In a perfect world, websites would accept passwords of any length and simply salt and hash them, and 1Password would happily produce an enormous random blob for this purpose...but of course given that 64 characters is already ludicrous, there's no need for us to bloat our vaults in this fashion yet. hehe

analogist

@jimonthebarn There's also another approach to thinking about this via available energy for computation: if we assume information-theoretic limits via Landauer's principle, even if you used up all available mass-energy in the entire solar system, it is only theoretically possible to perform 2^225.2 operations, which corresponds to a 35-digit password (in A-Za-z0-9 + symbols, or 38 digits alphanumeric A-Za-z0-9 only). Basically, given a theoretically perfect computer (in best known physical and mathematical principles), a future civilization will have to use up an entire solar system to crack a single 35-digit password.

This is why 64-character passwords are plenty, and every other part of the security system becomes more important, after a certain password length.

AGAlumB

@analogist: Indeed! While the advent of future technologies may change things, as it stands, 64 characters ought to be enough for anybody (cue Bill Gates jokes). Our own julie-tx had a lot to say on this subject in another discussion as well, in case you're interested. Cheers! :)